In response to trends, heightened public awareness, and a string of large-scale data breaches, states continue to enhance their data breach notification laws. In 2017, Maryland amended its Personal Information Protection Act (PIPA) by expanding the definition of personal information, modifying the definition of “breach of the security of the system,” establishing a 45-day timeframe for notification, and expanding the class of information subject to Maryland’s data destruction laws. Now, Maryland has again amended PIPA, with HB 1154 in effect from October 1, 2019, notably enhancing the requirements for a business once it becomes aware of a data security breach.
Under PIPA, prior to HB 1154, a business that owns or licenses personal information and that became aware of a data security breach was required to conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The new amendment expands the set of covered businesses for this purpose to include all businesses that own, license or maintain the personal information of Maryland residents.
That said, if a business that maintains the personal information incurs a breach, it is still the obligation of the business that owns or licenses that information to notify affected residents of the breach. Moreover, if the business that incurs the breach is not the owner or licensee of the personal information, the business may not charge the owner or licensee a fee for providing information that the owner or licensee needs to make a notification.
In addition, a business that owns or licenses personal information cannot use information related to the breach for any purpose other than for:
- Providing notification of the breach;
- Protecting or securing personal information; or
- Providing notification to national information security organizations created for information sharing and analysis of security threats, to alert and avert new or expanded breaches.
New trends and events likely will continue to prompt legislatures to amend their data breach notification laws. Businesses should develop their incident response plans with flexibility as a key component to ensure compliance with the most current breach notification requirements.